Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

    Date: 05/05/2026 

    Severity: High

    Summary

    A newly identified set of China-aligned campaigns is targeting government entities and critical infrastructure across South, East, and Southeast Asia, plus one NATO member state. This activity is tracked as SHADOW-EARTH-053. Nearly half of the targets were also compromised by SHADOW-EARTH-054, which shares similar tools and TTPs but most likely exploited the same vulnerabilities independently. The group leverages N-day flaws in Microsoft Exchange and IIS servers (e.g., ProxyLogon) to gain initial access. It then deploys GODZILLA web shells and uses DLL sideloading to install ShadowPad for persistence. These attacks show that unpatched or legacy Exchange systems remain highly exposed to compromise, credential theft, and long-term access.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    time.microsofttrends.com

    erp.kaspersky.icu

    dns.dnsmap.icu

    cert.kaspersky.icu

    news.kaspersky.icu

    ns1.kaspersky.icu

    ns2.kaspersky.icu

    www.kaspersky.icu

    dns.dnserver.life

    nslookup.dnserver.life

    router.dnserver.life

    ww12.dnserver.life

    ns1.group-ib.icu

    ns2.group-ib.icu

    www.group-ib.icu

    check.dnsmaps.com

    update.kaspersky.icu

    check.office365-update.com

    zimbra-beta.info

    zimbra.life

    microsi0ft.com

    http://209.141.40.254:8443/update

    IP Addresses:

    141.164.46.77

    96.9.125.227

    194.38.11.3

    209.141.40.254

    45.61.62.172

    Hashes (SHA256):

    f43748a809680a23272ec684a8cce9af071ad165c3b01acdcd7fe501a0949745

    0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed

    0fff684fa209cb79ab1104da3cfbbf4c950078e14e54c2564d130abbd4e464a9

    4f77b4fcfde7abb7e6d0e36104e433abfed3a9d9938bf7fbe0e9d1a0b2ccf265

    a5477ff2b3d6d475558abf03878dff0cca98c20c17aae35a8ad8e99e03293f89

    83e9f99a377566cf30df0ad71ca8522613b14d45e3e2eaead4a336509d26bef3

    996fb4f7d1b3150490380c4ce9c7c3d60fac33bd6a7c1e3a46487021964cf3bb

    3dffbfcb825a70e477474e88b18679557ef467de37fc26e45ddbe572f520c52a

    a65483b86847995a67de0fcb2a5487cdbc96361cb2e9dea8ab74005c8fef65ce

    5bf35daaf26508fc136157818ead48cc5c7fa3a3e6273cde2c757673586a78a6

    41f74c3fc32752b5c7b88e7a5723441cb827958bc21b647fffae469407f1ce99

    2dd93edc8cc64747a7ca94b6827dc4e5b1e385d493ed4450272dd1dfc52a6255

    f19a67b9c8805b335676f0fc17495839327f8135f791aa11d5d9adba2c83cc1c

    5eb2122c4c645543966b07b94faccb5b4697561163382f21fb3b793b0d5cc9fe

    eff699456ed4c5938d53afdb8df0836d7cb953ed933ed1a2899ec43f6f9e540b

    75d0d5080afd091114818d082babc418ccb43d545d9fda1fb715af6c129b6e51

    0c63857269205f6505c259a56ea53b23b2bf7432aabb8647d59b321232ca7e36

    97ea803792929f802388e9d0e75a3c79c28260d589bc2d87902c73c729ed6f9e

    b8a2a9ca58fb2b383a52f8be75cae44f08f2c3f8907bd8661ee8a4a78fd7dda3

    0eb72c1f1605d999488d903021d82a9ff4b937e6c1a1da50c55440f018e83ad9

    3f6382418d0137f6ecbef23bfd981938bb86a935b27203f5b053e3710e835f97

    884601e54fc2e6833167d33436b68e952020cdb99507b2807feec1bc086027c2

    26f4c7f37448911310adf20e6e74aac60e92b97591f4ac9e5e21cc503be8da16

    8df8282da75ebe6cf1a535739991e3f298f903974a05966503d7fd2919ecea4e

    e12c2682a7949661fa99bf46723a1405c658d109411de3bf6cb04c57337cc020

    03a89ea5a8604e8bc09a4249211e20404a2c7047adda65a57deeb46abb1fb116

    d083b6d82765faffe738ebd0678c8eb01c1f1fac8d3c51ffdfe40e34da3ce902

    0c8c562ed7343d28c76d93a88bd0534440d0e71292ebcee66314d6d5c2f34403

    23c2ebc8f9bac96b2fbbb9b00b457c48d65a9f66ec24fbfba339eeefd0539ad7

    55e929971a7975c7f9dfa4d677d5ec357af23a4ca208ef8f920804743e9011cd

    c935ded2729f0513672e261170d73d4e0e13a9b837f104d840c44a39b84c0d71

    165cc3a9a40e04c469e5c818943920f38dc48db2c2365f1a71bb52c9582f0ea9

    1a5da90175ff7b55ddafcdb816adf574b92a112604019b219d82adab820fb3a2

    4173c218efe31a6b36df714cf4e1073696f3acbe7edd1b7fcba01e4a2d923a27

    188c72b101cd8ad96ef971e8943bddb3acd9dc45fe1d8719217d171e600a29aa

    9dda789b85fce6294f91a79b7271a93de36dfcef21fc680dc2bf4235141e47df

    Hashes (SHA1):

    2dc1ad07b7529af3ba5c11a58519681909971a81

    3229ba46dd54802093c81e6e2123fd1520faf960

    128f3ad395f86be6569ef2a957d42902a910de6c

    9a83466f6c34e588ba3e99d6cbfac0102e173cdd

    9244cd99a27a8741a78e0b449cea063fdcfb0090

    8a5ac2682d70eacff7eb554e242227c82e2baa94

    31b3dd9ee46805b0ed6e6dd6a5ee17facadfd2ff

    3f858c007d4d49dd7fa260bcc786c34d4f78dbf5

    579bc9a640ac939b1f75eda852815f063cebd332

    824f13f758ce278f72a4aeaf1e15a703d5107dd7

    ec38a56f9368eac67106a4ad61538e12053f03d1

    35cc0b684b0906aed9d672a1a8635510fe91aa67

    2dd614427b80cdd38e8bbe0ace24a484671c0da2

    4541e55b70ca12ae4a79e38c0b4c31f067eb5cdc

    36061be6ccd17e87e3d1ef15f8e7058f279439d1

    861a686461ad830b268977808ba56730616c7684

    95015643ecb3ba321b8cff8eca2907e5356e8659

    ac7ffce58c70fb9f837e11a44d655d6c28e276f5

    e1bcf36ed2f7a60dd0dde52abf11c942e2657e31

    b8d586d376b342b08b3dd8a77c788480e025ad12

    211e1fc502152ea272edb5a81a5b4405a28c48f9

    ebfd92291714e6d7e57cf4830aa8f87950b796bb

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "dns.dnsmap.icu" or url like "dns.dnsmap.icu" or siteurl like "dns.dnsmap.icu" or domainname like "dns.dnserver.life" or url like "dns.dnserver.life" or siteurl like "dns.dnserver.life" or domainname like "ns1.kaspersky.icu" or url like "ns1.kaspersky.icu" or siteurl like "ns1.kaspersky.icu" or domainname like "www.group-ib.icu" or url like "www.group-ib.icu" or siteurl like "www.group-ib.icu" or domainname like "erp.kaspersky.icu" or url like "erp.kaspersky.icu" or siteurl like "erp.kaspersky.icu" or domainname like "ww12.dnserver.life" or url like "ww12.dnserver.life" or siteurl like "ww12.dnserver.life" or domainname like "check.office365-update.com" or url like "check.office365-update.com" or siteurl like "check.office365-update.com" or domainname like "microsi0ft.com" or url like "microsi0ft.com" or siteurl like "microsi0ft.com" or domainname like "news.kaspersky.icu" or url like "news.kaspersky.icu" or siteurl like "news.kaspersky.icu" or domainname like "nslookup.dnserver.life" or url like "nslookup.dnserver.life" or siteurl like "nslookup.dnserver.life" or domainname like "time.microsofttrends.com" or url like "time.microsofttrends.com" or siteurl like "time.microsofttrends.com" or domainname like "check.dnsmaps.com" or url like "check.dnsmaps.com" or siteurl like "check.dnsmaps.com" or domainname like "zimbra.life" or url like "zimbra.life" or siteurl like "zimbra.life" or domainname like "www.kaspersky.icu" or url like "www.kaspersky.icu" or siteurl like "www.kaspersky.icu" or domainname like "ns2.group-ib.icu" or url like "ns2.group-ib.icu" or siteurl like "ns2.group-ib.icu" or domainname like "cert.kaspersky.icu" or url like "cert.kaspersky.icu" or siteurl like "cert.kaspersky.icu" or domainname like "ns2.kaspersky.icu" or url like "ns2.kaspersky.icu" or siteurl like "ns2.kaspersky.icu" or domainname like "router.dnserver.life" or url like "router.dnserver.life" or siteurl like "router.dnserver.life" or domainname like "zimbra-beta.info" or url like "zimbra-beta.info" or siteurl like "zimbra-beta.info" or domainname like "ns1.group-ib.icu" or url like "ns1.group-ib.icu" or siteurl like "ns1.group-ib.icu" or domainname like "update.kaspersky.icu" or url like "update.kaspersky.icu" or siteurl like "update.kaspersky.icu" or domainname like "http://209.141.40.254:8443/update" or url like "http://209.141.40.254:8443/update" or siteurl like "http://209.141.40.254:8443/update"

    Detection Query 2:

    dstipaddress IN ("194.38.11.3","209.141.40.254","96.9.125.227","141.164.46.77","45.61.62.172") or srcipaddress IN ("194.38.11.3","209.141.40.254","96.9.125.227","141.164.46.77","45.61.62.172")

    Detection Query 3:

    sha1hash IN ("ac7ffce58c70fb9f837e11a44d655d6c28e276f5","3f858c007d4d49dd7fa260bcc786c34d4f78dbf5","211e1fc502152ea272edb5a81a5b4405a28c48f9","95015643ecb3ba321b8cff8eca2907e5356e8659","36061be6ccd17e87e3d1ef15f8e7058f279439d1","2dd614427b80cdd38e8bbe0ace24a484671c0da2","4541e55b70ca12ae4a79e38c0b4c31f067eb5cdc","824f13f758ce278f72a4aeaf1e15a703d5107dd7","e1bcf36ed2f7a60dd0dde52abf11c942e2657e31","31b3dd9ee46805b0ed6e6dd6a5ee17facadfd2ff","ebfd92291714e6d7e57cf4830aa8f87950b796bb","861a686461ad830b268977808ba56730616c7684","2dc1ad07b7529af3ba5c11a58519681909971a81","3229ba46dd54802093c81e6e2123fd1520faf960","128f3ad395f86be6569ef2a957d42902a910de6c","9a83466f6c34e588ba3e99d6cbfac0102e173cdd","9244cd99a27a8741a78e0b449cea063fdcfb0090","8a5ac2682d70eacff7eb554e242227c82e2baa94","579bc9a640ac939b1f75eda852815f063cebd332","ec38a56f9368eac67106a4ad61538e12053f03d1","35cc0b684b0906aed9d672a1a8635510fe91aa67","b8d586d376b342b08b3dd8a77c788480e025ad12")

    Detection Query 4:

    sha256hash IN ("188c72b101cd8ad96ef971e8943bddb3acd9dc45fe1d8719217d171e600a29aa","9dda789b85fce6294f91a79b7271a93de36dfcef21fc680dc2bf4235141e47df","e12c2682a7949661fa99bf46723a1405c658d109411de3bf6cb04c57337cc020","0eb72c1f1605d999488d903021d82a9ff4b937e6c1a1da50c55440f018e83ad9","884601e54fc2e6833167d33436b68e952020cdb99507b2807feec1bc086027c2","c935ded2729f0513672e261170d73d4e0e13a9b837f104d840c44a39b84c0d71","23c2ebc8f9bac96b2fbbb9b00b457c48d65a9f66ec24fbfba339eeefd0539ad7","5bf35daaf26508fc136157818ead48cc5c7fa3a3e6273cde2c757673586a78a6","41f74c3fc32752b5c7b88e7a5723441cb827958bc21b647fffae469407f1ce99","f19a67b9c8805b335676f0fc17495839327f8135f791aa11d5d9adba2c83cc1c","b8a2a9ca58fb2b383a52f8be75cae44f08f2c3f8907bd8661ee8a4a78fd7dda3","0c63857269205f6505c259a56ea53b23b2bf7432aabb8647d59b321232ca7e36","97ea803792929f802388e9d0e75a3c79c28260d589bc2d87902c73c729ed6f9e","a65483b86847995a67de0fcb2a5487cdbc96361cb2e9dea8ab74005c8fef65ce","f43748a809680a23272ec684a8cce9af071ad165c3b01acdcd7fe501a0949745","0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed","0fff684fa209cb79ab1104da3cfbbf4c950078e14e54c2564d130abbd4e464a9","4f77b4fcfde7abb7e6d0e36104e433abfed3a9d9938bf7fbe0e9d1a0b2ccf265","a5477ff2b3d6d475558abf03878dff0cca98c20c17aae35a8ad8e99e03293f89","83e9f99a377566cf30df0ad71ca8522613b14d45e3e2eaead4a336509d26bef3","996fb4f7d1b3150490380c4ce9c7c3d60fac33bd6a7c1e3a46487021964cf3bb","3dffbfcb825a70e477474e88b18679557ef467de37fc26e45ddbe572f520c52a","2dd93edc8cc64747a7ca94b6827dc4e5b1e385d493ed4450272dd1dfc52a6255","5eb2122c4c645543966b07b94faccb5b4697561163382f21fb3b793b0d5cc9fe","eff699456ed4c5938d53afdb8df0836d7cb953ed933ed1a2899ec43f6f9e540b","75d0d5080afd091114818d082babc418ccb43d545d9fda1fb715af6c129b6e51","3f6382418d0137f6ecbef23bfd981938bb86a935b27203f5b053e3710e835f97","26f4c7f37448911310adf20e6e74aac60e92b97591f4ac9e5e21cc503be8da16","8df8282da75ebe6cf1a535739991e3f298f903974a05966503d7fd2919ecea4e","03a89ea5a8604e8bc09a4249211e20404a2c7047adda65a57deeb46abb1fb116","d083b6d82765faffe738ebd0678c8eb01c1f1fac8d3c51ffdfe40e34da3ce902","0c8c562ed7343d28c76d93a88bd0534440d0e71292ebcee66314d6d5c2f34403","55e929971a7975c7f9dfa4d677d5ec357af23a4ca208ef8f920804743e9011cd","165cc3a9a40e04c469e5c818943920f38dc48db2c2365f1a71bb52c9582f0ea9","1a5da90175ff7b55ddafcdb816adf574b92a112604019b219d82adab820fb3a2","4173c218efe31a6b36df714cf4e1073696f3acbe7edd1b7fcba01e4a2d923a27")
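    The four queries above are flat lists of the advisory's IOCs. As an added example (not Gurucul's or Trend Micro's code; the log records and their field names are constructed, and the IOC values are a subset copied from the lists above), the Python script below applies the same indicators to sample log records with the normalisation a practitioner would want before trusting a hit: host names compared on DNS label boundaries rather than as substrings, IP addresses canonicalised, the URL indicator matched after case-folding its scheme and host, and hashes case-folded and length-checked so a malformed digest cannot match.

```python
"""Match SHADOW-EARTH-053 IOCs from this advisory against sample log records.

Added example, not Gurucul's or Trend Micro's code. The IOC values are copied
from the lists above (a subset); the log records and field names are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Subset of the advisory's IOCs: domains, the one URL, the IPs, one SHA256, one SHA1.
IOC_DOMAINS = {
    "time.microsofttrends.com", "erp.kaspersky.icu", "dns.dnsmap.icu",
    "ns1.kaspersky.icu", "check.office365-update.com", "zimbra-beta.info",
    "zimbra.life", "microsi0ft.com",
}
IOC_URLS = {"http://209.141.40.254:8443/update"}
IOC_IPS = {"141.164.46.77", "96.9.125.227", "194.38.11.3",
           "209.141.40.254", "45.61.62.172"}
IOC_HASHES = {
    "f43748a809680a23272ec684a8cce9af071ad165c3b01acdcd7fe501a0949745",  # SHA256
    "2dc1ad07b7529af3ba5c11a58519681909971a81",                          # SHA1
}


def norm_host(host):
    """Lower-case a hostname and drop a trailing dot (DNS logs often keep it)."""
    return host.strip().lower().rstrip(".")


def domain_hit(host):
    """Return the IOC domain that `host` equals or sits under, else None.

    Comparison is on DNS label boundaries: 'zimbra.lifestyle.example' does not
    match the IOC 'zimbra.life', although a plain substring test would say it does.
    """
    host = norm_host(host)
    if not host:
        return None
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def ip_hit(value):
    """Return the IOC IP equal to `value` after canonicalisation, else None."""
    try:
        canonical = str(ipaddress.ip_address(value.strip()))
    except ValueError:          # not an IP at all (e.g. a hostname or junk)
        return None
    return canonical if canonical in IOC_IPS else None


def url_hit(url):
    """Match the full URL IOC (scheme/host/port/path, case-folded) or an IOC host/IP inside a URL."""
    if not url:
        return None
    parts = urlsplit(url.strip())
    host = norm_host(parts.hostname or "")
    port = f":{parts.port}" if parts.port else ""
    canonical = f"{parts.scheme.lower()}://{host}{port}{parts.path}"
    if canonical in IOC_URLS:
        return canonical
    return domain_hit(host) or ip_hit(host)


def hash_hit(digest):
    """Return the IOC hash equal to `digest` (hex, any case); reject anything not SHA1/SHA256-sized."""
    d = digest.strip().lower()
    if len(d) not in (40, 64) or any(c not in "0123456789abcdef" for c in d):
        return None
    return d if d in IOC_HASHES else None


# Constructed log field names; map each field to the matcher that understands it.
FIELD_MATCHERS = {
    "src_ip": ip_hit, "dst_ip": ip_hit, "domain": domain_hit,
    "url": url_hit, "sha1": hash_hit, "sha256": hash_hit,
}


def match_record(record):
    """Return [(field, ioc), ...] for every field of one log record that hits an IOC."""
    hits = []
    for field, matcher in FIELD_MATCHERS.items():
        value = record.get(field)
        if value:
            ioc = matcher(value)
            if ioc:
                hits.append((field, ioc))
    return hits


def scan(records):
    """Return {record id: hits} for the records that match at least one IOC."""
    result = {}
    for record in records:
        hits = match_record(record)
        if hits:
            result[record["id"]] = hits
    return result


# Constructed sample records in proxy, DNS and EDR style; not real telemetry.
SAMPLE_LOGS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "194.38.11.3"},                      # C2 IP as destination
    {"id": 2, "src_ip": "10.0.0.7", "domain": "ns1.zimbra.life."},                 # subdomain of an IOC
    {"id": 3, "src_ip": "10.0.0.8", "domain": "zimbra.lifestyle.example"},         # lookalike, must not match
    {"id": 4, "src_ip": "10.0.0.9", "url": "HTTP://209.141.40.254:8443/update"},   # URL IOC, odd casing
    {"id": 5, "src_ip": "10.0.0.3", "sha1": "2DC1AD07B7529AF3BA5C11A58519681909971A81"},  # upper-case digest
    {"id": 6, "src_ip": "10.0.0.4", "dst_ip": "203.0.113.9", "sha256": "deadbeef"},       # malformed digest
]

if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_LOGS).items():
        print(f"record {rid}: {hits}")
```

    Two points the script makes that the flat queries do not: a `like` test that behaves as a substring match will also fire on unrelated names that happen to contain an indicator (the `zimbra.lifestyle.example` record), and a field that holds only a host name can never equal the full URL indicator, so that indicator is better checked as a URL on URL fields and as its host/IP parts on the other fields. Extending `IOC_DOMAINS`, `IOC_IPS` and `IOC_HASHES` to the complete lists above is a copy-paste exercise.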

    Reference:

    https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html


    Tags

    Malware, Threat Actor, China, Cyber Espionage, Asia, South Asia, NATO, Critical Infrastructure, Government Services and Facilities, Exploit, ShadowPad, Credential Theft, Web Shell, DLL Sideloading
